Remember Stuxnet, anyone? It never became totally clear who was behind it – speculations range from the CIA to Mossad to the flying spaghetti monster; at least two of these might be interested in Stuxnet's main target, Iranian nuclear facilities with neglected Windows installations. Now, parts of Stuxnet's code seem to have been recycled in a different type of malware, a trojan horse.
Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party.
According to Symantec, Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or at least by programmers who have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). Interestingly, the threat does not self-replicate. Symantec's telemetry indicates the threat was highly targeted toward a limited number of organizations for their specific assets. It may be possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.
Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which must then be exfiltrated.
The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.
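The C&C channel described above hides encrypted data behind what look like JPG transfers. As an added example (not code from the original post or from Symantec's analysis; the real Duqu file layout is not described here, so this is a generic heuristic), the Python below is a check a defender could run over HTTP bodies served as image/jpeg: it walks the JPEG marker structure and flags a sizeable, high-entropy trailer after the End-Of-Image marker, which is how ciphertext riding on a dummy image would look. The sample body is constructed, and the `min_trailer` and `min_entropy` thresholds are assumed values.

```python
import math
import re
# Constructed sample: a minimal JFIF header (SOI, APP0, EOI) plus a 256-byte opaque
# trailer. Built for this example; not taken from real Duqu traffic.
DUMMY_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
SAMPLE_BODY = DUMMY_JPEG + bytes(range(256))

NO_LENGTH = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers without a length field
SCAN_END = re.compile(rb"\xff[^\x00\xd0-\xd7]")          # first real marker after scan data

def jpeg_end_offset(data):
    """Offset just past the EOI marker, or -1 if data is not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: the image ends here
            return pos + 2
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                      # SOS: skip entropy-coded scan data
            m = SCAN_END.search(data, pos)
            pos = m.start() if m else len(data)
    return -1

def shannon_entropy(buf):
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    n = len(buf)
    return 0.0 - sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf))) if n else 0.0

def inspect_jpeg_body(body, min_trailer=16, min_entropy=7.0):
    """Findings for a body served as image/jpeg; thresholds set the false-positive rate."""
    end = jpeg_end_offset(body)
    if end < 0:
        return ["served as image/jpeg but not a well-formed JPEG"]
    trailer = body[end:]
    if len(trailer) < min_trailer:
        return []
    ent = shannon_entropy(trailer)
    findings = [f"{len(trailer)} bytes after EOI (entropy {ent:.2f} bits/byte)"]
    if ent >= min_entropy:
        findings.append("trailer looks encrypted or compressed")
    return findings
```

Legitimate files do sometimes carry small trailers (EXIF thumbnails, editor junk), so treat a hit as a lead for session inspection rather than a verdict on its own.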